sql injection risk when using order. #2906

Closed
levansuper opened this issue Jan 12, 2015 · 4 comments · Fixed by #2919
P1: important For issues and PRs. type: bug DEPRECATED: replace with the "bug" issue type

Comments

@levansuper

Test.findAndCountAll({
  where: { id: 1 },
  order: [['id', 'DESC; delete from test;']]
})

When the client sends parameters specifying which columns should be ordered by, there is a risk of SQL injection.
This works with PostgreSQL. I haven't tested with other databases though.

@mickhansen mickhansen added P1: important For issues and PRs. type: bug DEPRECATED: replace with the "bug" issue type labels Jan 12, 2015
@mickhansen
Contributor

It's likely safe to assume that the second argument of an order statement could only ever be ASC or DESC.
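One way to enforce that assumption at the application boundary, as an added example that is not Sequelize's own code or fix: validate each `order` entry before it reaches the query builder, accepting only a plain identifier for the column (optionally restricted to an allowlist) and only `ASC`/`DESC` for the direction. The function names `validateOrderTuple` and `buildOrderBy`, the identifier regex and the PostgreSQL-style double quoting are assumptions made for this example; the rejected input is the `order` value quoted in the issue.

```javascript
// Added example, not Sequelize code: validate client-supplied ORDER BY
// parameters before building SQL. Names and quoting style are assumed.

// Only these two tokens may ever appear as an order direction.
const ALLOWED_DIRECTIONS = new Set(['ASC', 'DESC']);
// Column names must look like plain SQL identifiers: no quotes, spaces or ';'.
const IDENTIFIER = /^[A-Za-z_][A-Za-z0-9_]*$/;

// Checks one [column] or [column, direction] tuple.
// Returns { ok: true, column, direction } or { ok: false, reason }.
function validateOrderTuple(tuple, allowedColumns) {
  if (!Array.isArray(tuple) || tuple.length < 1 || tuple.length > 2) {
    return { ok: false, reason: 'order entry must be [column] or [column, direction]' };
  }
  const [column, direction = 'ASC'] = tuple;
  if (typeof column !== 'string' || !IDENTIFIER.test(column)) {
    return { ok: false, reason: `invalid column name: ${String(column)}` };
  }
  // Optional allowlist of sortable columns (a Set of strings).
  if (allowedColumns && !allowedColumns.has(column)) {
    return { ok: false, reason: `column not sortable: ${column}` };
  }
  if (typeof direction !== 'string' || !ALLOWED_DIRECTIONS.has(direction.toUpperCase())) {
    return { ok: false, reason: `invalid direction: ${String(direction)}` };
  }
  return { ok: true, column, direction: direction.toUpperCase() };
}

// Builds an ORDER BY clause from an array of tuples, throwing on the first
// entry that fails validation so nothing unvalidated ever reaches the query.
function buildOrderBy(order, allowedColumns) {
  const parts = [];
  for (const tuple of order) {
    const result = validateOrderTuple(tuple, allowedColumns);
    if (!result.ok) {
      throw new Error(`rejected order parameter: ${result.reason}`);
    }
    // Double-quote the identifier (PostgreSQL style); the regex above
    // guarantees it contains no quote characters.
    parts.push(`"${result.column}" ${result.direction}`);
  }
  return parts.length ? `ORDER BY ${parts.join(', ')}` : '';
}

// Returns true when the injected direction from the issue is rejected.
function rejectsInjectedDirection() {
  // Constructed sample: the shape of the `order` option quoted in the issue.
  const injectedOrder = [['id', 'DESC; delete from test;']];
  try {
    buildOrderBy(injectedOrder, new Set(['id']));
    return false;
  } catch (err) {
    return /rejected order parameter/.test(err.message);
  }
}

// Stand-alone usage.
console.log(buildOrderBy([['id', 'desc'], ['name']], new Set(['id', 'name'])));
console.log('injected direction rejected:', rejectsInjectedDirection());
```

The allowlist parameter is the stronger control: even a syntactically valid identifier should not let a client sort by a column the endpoint never intended to expose.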

@mickhansen mickhansen added this to the 2.0.0 final release milestone Jan 12, 2015
@mickhansen mickhansen self-assigned this Jan 12, 2015
fixe added a commit to seegno-forks/sequelize that referenced this issue Jan 13, 2015
@Zolmeister

@mickhansen
Contributor

@Zolmeister We will. Can always use a git reference in the meantime.

@mickhansen
Contributor

I will likely push a new NPM version after I fix #2969 tonight.

3 participants